Digest using an external database for the Password

Mike Brennan mbrennan at thrupoint.com
Tue Apr 30 16:09:05 CEST 2013

Ok - I think I get it........, if I just want to use the default I should
remove the soft link in the site-enabled to the inner-tunnel. This should
be sufficient for my deployment at the moment - although I will be looking
into clustering this and using potentially LVS (this no doubt will be
another world of pain - my database backend is going to be an Oracle

As for RFC 4590 support,  I believe IEA Software support it. I confused
the fact that on your web site you list RFC 4590 in the "list of RFCs" as
a tacit indication of support. Is RFC 4590 on your roadmap?

The client generating the DIGEST  is an ACME SBC it supports a number of

Sorry for being a pain


-----Original Message-----
From: freeradius-users-bounces+mbrennan=thrupoint.com at lists.freeradius.org
[mailto:freeradius-users-bounces+mbrennan=thrupoint.com at lists.freeradius.o
rg] On Behalf Of Alan DeKok
Sent: 30 April 2013 13:36
To: FreeRadius users mailing list
Subject: Re: Digest using an external database for the Password

Mike Brennan wrote:
> From the previous e-mail I put the sql query in the inner-tunnel (this
> was confirmed by Alan), however, I think this maybe incorrect - I
> believe it should go in the default file (AM I CORRECT?)

  (a) you can wander around making random changes to "fix" things, or

  (b) you can understand what's going on.

  It's not hard.  And no, I'm not going to spoon-feed you.  The answer is
in front of you.  It's in the debug logs you posted.  Have you read them,
looking for "inner-tunnel"?

> The other test fails - see the following two files:
> rfc4590_freeradius_debug and the radiusclient_rfc4590. The
> authentication fails, I suspect that the attributes passed seems to
> cause FreeRadius to reject the authentication. Not sure whether it is
> the client causing the trouble with erroneous setting of the
> attributes or whether Freeradius is interpreting them incorrectly

  FreeRADIUS doesn't implement RFC 4590.  So far as I've seen, no one else
does, either.

> It would be good to get to the bottom of the problem with using RFC
> 4590 - I hope the debug files help. In the debug some fields are set
> as removed - this is what I replaced sensitive information with.

  What client are you using to generate the digest authentication?

  Alan DeKok.
List info/subscribe/unsubscribe? See
Note: The information contained in this message may be privileged and confidential 
and protected from disclosure. If the reader of this message is not the intended 
recipient, or an employee or agent responsible for delivering this message to the 
intended recipient, you are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited. If you have received this 
communication in error, please notify us immediately by replying to the message and 
deleting it from your computer. Thank you. Thrupoint, Inc.

More information about the Freeradius-Users mailing list